TL;DR: Plug 'N Play is a good idea. .pnp.js is a bad idea. .pnp.json would be a better idea.

To preface this, I think Plug 'N Play is a great idea. My concerns come from the dependency analysis side. My day job is building analysis tools at FOSSA, and I've worked with a lot of package managers while building the FOSSA CLI.

.pnp.js is much harder to analyse than node_modules

There should be a method to access the Plug 'n Play API in a language-agnostic way without requiring a Node.js runtime.

At FOSSA, we do dependency analysis in a variety of environments. We need to provide results reliably across these environments, including environments where Node.js is not available. This use case is surprisingly common for us: